Now that big-box retailers have stuck their fat fingers into mobile payments, can the next major credit card breach be far behind?
With mobile payments, it would seem that we're entering yet another new
battlefront located at the corner of technology, crime, and our wallets.
Forgive me if I use past as prologue and predict that this will not go
well, at least for the short term.
Payments via NFC (near-field communications) have been possible for a
while now, and we've had payments via RFID for even longer. However, the
United States is still mired in the card-swipe era, while most of the
rest of the world has moved on to chip-and-PIN or tap payments, which
are rooted in the established technology of point-of-sale payment
processors. That means you have a physical item such as a credit card or
fob. When you wave that item by a scanner and tap the scanner to
confirm, the device is authenticated and charges are made to your
account via a clearinghouse.
Now, however, there is a major war brewing between smartphone companies
and retailers over how to make it simple and secure to use a smartphone
to authorize payments at physical retailers. Essentially, at least in
the United States, the idea is to skip the traditional methods
altogether and head straight to mobile-based payments.
Both Apple and Google are heavily involved. Apple's new Apple Pay framework
has been developed to allow iPhone users to essentially upload their
credit and debit cards to their phone, then select the appropriate card
to use when making payments. By waving the phone over a sensor with your
finger on the phone’s fingerprint scanner, you validate the charge.
Apple stands in the middle, both paying the retailer and debiting your
bank account or charging your credit card.
In for a penny, in for a pound: paying for goods and services this way
seems to be the way forward. But in order for mobile payments to
happen, everyone needs to work from the same playbook, including the
retailers themselves.
Naturally, the retailers don't want to play ball. They are developing
their own mobile payment system called CurrentC that would be offered to
customers as a smartphone application, allowing the same basic
functionality, but delivered in a significantly different way on the
back end -- a way that appears to be worryingly insecure.
The upside for retailers in this game is sizable. If they can move their
customers over to their payment system, they can essentially shortcut
the banks and payment processors, saving a few percent on each purchase
made. At scale, that translates into a lot of money staying with the
retailer instead of going to a payment processor.
However, it's not feasible for every retailer to produce and maintain
their own infrastructure to handle payments like this, so a number of
large retailers (including Walmart, Target, and Best Buy) banded
together to create CurrentC. With enough large retailers on board, the
group hopes to make CurrentC the de facto standard.
Given the amazingly poor data security that large retailers like Target, Home Depot, and others have demonstrated, you might see where this could be a problem. In fact, it's already a problem. CurrentC has already lost data to malicious attackers.
I've noted before that we have a fundamentally broken method of dealing with customer data loss events.
We have no restrictions on the data collected by large retailers, and
no substantive penalties are imposed when retailers lose data on
millions of their customers.
Nearly everyone who has had a credit card or debit card and made
purchases at a big chain store has had their ID and card information
stolen. The numbers are in the many hundreds of millions, and new
reports of further data loss are frighteningly frequent. Only last month
I had to replace my debit card because I bought lightbulbs at Home
Depot. Last year, it was a credit card I used at Target. The time
before, another card had to be replaced because of retailer data loss,
but the bank wouldn't name the retailer.
These blatant and repeated failures cause financial harm and distress to
millions of people every year, yet they are still not being dealt with
at any level that might cause some change in the industry. I say that a
data loss event should result in the retailer paying a $25 fine to every
affected customer. That would certainly get some attention in breaches
affecting 100 million or more customers, but it would also have to be
accompanied by mandatory reporting legislation.
These events need to be handled at a legislative level, but will
unfortunately take more time and more data loss events. In the meantime,
these same retailers want us to trust them with direct access to our
bank accounts and other financial instruments.
To state it plainly, the same companies that have suffered massive
breaches of customer credit card data due to their lax security
practices now want even more of our sensitive data, and to provide even
more avenues for fraud and identity theft. As part of that goal, they
are actively blocking other payment types, such as Apple Pay and Google
Wallet.
If CurrentC succeeds, it will be despite all reason and recent history.
We can only hope that some sanity is reclaimed in this mess before more
innocent bystanders lose their data.
Meanwhile, at a cafe somewhere in Europe, a hacker with a laptop and a
botnet grins, orders Champagne, and prepares for a new haul of
identities, courtesy of your big-box stores.
Source: http://www.infoworld.com